Crypto standard up for review

Federal Information Processing Standard 140-3 is open for review

By William Jackson

Jul 23, 2007

The latest version of the Federal Information Processing Standard for cryptographic modules ' intended, among other things, to add protection for smart cards ' has been released for comment by the National Institute of Standards and Technology.

Comments on the FIPS 140-3 draft (GCN.com/812) are due by Oct. 11.

The current standard, FIPS 140-2, grew out of Federal Standard 1027, General Security Requirements for Equipment, which used the now-outdated Data Encryption Standard. FIPS 140-1 was issued in 1994 with a requirement that it be reviewed every five years. The review and revision process can take several years, and FIPS 140-2 was approved in 2001.

The third iteration contains the updates and clarifications that every maturing standard undergoes, but it also tackles a problem of growing concern: power analysis attacks, in which a hacker reads the power fluctuations in a working smart-card cryptographic module to crack its code.

Power analysis was a relatively new technique for cracking codes in single-chip processors when FIPS 140-2 was approved, said Stan Kladko, director of the FIPS validation lab at BKP Security Labs.

Today, though, 'this is one of the bread-and-butter attacks,' said Paul Kocher, president at Cryptography Research.